JSESSIONID issues, Stale Session. (SameSite issue?)

Ryan Larscheidt larscheidt at wisc.edu
Fri Jan 21 19:04:05 UTC 2022


We have Apache proxying to the IdP, so I put in the following config to decorate all cookies missing a SameSite attribute with SameSite=None if the user agent identifies itself as Chrom(e|ium) >= 80 and Firefox >= 79, to avoid breaking older browsers.  I'm not sure how correct this configuration is, but it seems to be working for us.

    # Add SameSite attribute to cookies for Chrome / Chromium 80+ (matches Edge too)
    RewriteCond %{HTTP_USER_AGENT} "Chrom[^ \/]+\/(\d+)[\.\d]*"
    RewriteCond %1 "-ge 80"
    RewriteRule .* - [env=SAMESITE:1]

    # Add SameSite attribute to cookies for Firefox 79+
    RewriteCond %{HTTP_USER_AGENT} "Firefox\/(\d+)[\.\d]*"
    RewriteCond %1 "-ge 79"
    RewriteRule .* - [env=SAMESITE:1]

    # Add SameSite=None when SAMESITE is true and cookie doesn't have SameSite already set (case-insensitive match).
    # Need always and onsuccess directives because there are different header tables and neither is a superset of the other.
    Header always    edit Set-Cookie (?i)^(?!.*SameSite.*)(.+)$ "$1; SameSite=None" env=SAMESITE
    Header onsuccess edit Set-Cookie (?i)^(?!.*SameSite.*)(.+)$ "$1; SameSite=None" env=SAMESITE

Thanks,
Ryan

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Friday, January 21, 2022 07:16
To: Shib Users <users at shibboleth.net>
Subject: Re: JSESSIONID issues, Stale Session. (SameSite issue?)

On 1/21/22, 7:41 AM, "users on behalf of Duncan Brannen via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
>    Does anyone know under what circumstances the jsessionID value is replaced?

Your container's/choice of session-timeout value.

-- Scott
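
The User-Agent gating and `Header edit` logic from the configuration above, transcribed into Python as an added example (not part of the original message and not Shibboleth or Apache code) so it can be checked against constructed User-Agent strings and cookie values. The function names and sample values are assumptions; `needs_secure` additionally flags decorated cookies that lack `Secure`, which Chrome 80+ requires before it accepts `SameSite=None`.

```python
import re

# Python transcriptions of the patterns in the Apache configuration above.
CHROME_RE = re.compile(r"Chrom[^ \/]+\/(\d+)[\.\d]*")
FIREFOX_RE = re.compile(r"Firefox\/(\d+)[\.\d]*")
EDIT_RE = re.compile(r"(?i)^(?!.*SameSite.*)(.+)$")

# Constructed sample User-Agent strings (not taken from the thread).
UA_CHROME_97 = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36")
UA_CHROME_70 = UA_CHROME_97.replace("Chrome/97", "Chrome/70")
UA_EDGE_97 = UA_CHROME_97 + " Edg/97.0.1072.69"
UA_FIREFOX_78 = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
UA_SAFARI_15 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                "(KHTML, like Gecko) Version/15.2 Safari/605.1.15")


def samesite_env(user_agent):
    """Mirror the two RewriteCond/RewriteRule pairs that set SAMESITE."""
    for pattern, minimum in ((CHROME_RE, 80), (FIREFOX_RE, 79)):
        m = pattern.search(user_agent)
        if m and int(m.group(1)) >= minimum:
            return True
    return False


def edit_set_cookie(value, user_agent):
    """Mirror 'Header edit Set-Cookie ... env=SAMESITE' for one header value."""
    if not samesite_env(user_agent):
        return value
    # The lookahead scans the whole value, so a cookie whose name or value
    # merely contains "samesite" is left untouched as well.
    return EDIT_RE.sub(r"\1; SameSite=None", value, count=1)


def needs_secure(value):
    """True when a cookie carries SameSite=None but no Secure attribute."""
    attrs = [a.strip().lower() for a in value.split(";")[1:]]
    return "samesite=none" in attrs and "secure" not in attrs


if __name__ == "__main__":
    cookies = ["JSESSIONID=abc; Path=/idp; Secure; HttpOnly",  # constructed
               "JSESSIONID=abc; Path=/idp; HttpOnly",
               "samesite_pref=1; Path=/"]
    for ua in (UA_CHROME_97, UA_CHROME_70, UA_EDGE_97, UA_FIREFOX_78, UA_SAFARI_15):
        for c in cookies:
            out = edit_set_cookie(c, ua)
            print(samesite_env(ua), needs_secure(out), out)
```
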

